
How I cracked my neighbor’s WiFi password without breaking a sweat

Readily available tools make cracking easier.

Last week's feature explaining why passwords are under assault like never before touched a nerve with many Ars readers, and with good reason. After all, passwords are the keys that secure Web-based bank accounts, sensitive e-mail services, and virtually every other facet of our online life. Lose control of the wrong password and it may only be a matter of time until the rest of our digital assets fall, too.

Take, for example, the hundreds of millions of WiFi networks in use all over the world. If they're like the ones within range of my office, most of them are protected by the WiFi Protected Access or WiFi Protected Access 2 security protocols. In theory, these protections prevent hackers and other unauthorized people from accessing wireless networks or even viewing traffic sent over them, but only when end users choose strong passwords. I was curious how easy it would be to crack these passcodes using the advanced hardware and techniques that have become readily available over the past five years. What I found wasn't encouraging.

First, the good news. WPA and WPA2 use an extremely robust password-storage regimen that significantly slows the speed of automated cracking programs. By using the PBKDF2 key derivation function along with 4,096 iterations of the SHA1 cryptographic hashing algorithm, attacks that took minutes to run against the recent LinkedIn and eHarmony password dumps of June would require days or even weeks or months to complete against the WiFi encryption scheme.

What's more, WPA and WPA2 passwords require a minimum of eight characters, eliminating the possibility that users will pick shorter passphrases that could be brute forced in more manageable timeframes. WPA and WPA2 also use a network's SSID as salt, ensuring that hackers can't effectively use precomputed tables to crack the code.
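To make the work factor concrete, here is an added example (not code from the article) that derives the WPA/WPA2-Personal pairwise master key exactly as the paragraphs above describe: PBKDF2-HMAC-SHA1 with 4,096 rounds, the SSID as salt, a 256-bit result. It checks itself against the known-answer vector published in IEEE 802.11i Annex H (passphrase "password", SSID "IEEE"), shows that changing only the SSID changes the key (which is why precomputed tables don't transfer between networks), and measures how many candidate passphrases a single CPU core can test per second. The candidate strings and SSIDs used for the timing loop are constructed for illustration.

```python
import hashlib
import time

# Known-answer vector from IEEE 802.11i Annex H: passphrase "password", SSID "IEEE".
IEEE_VECTOR_PMK = bytes.fromhex(
    "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"
)
WPA_ITERATIONS = 4096  # the iteration count the article cites


def derive_pmk(passphrase: str, ssid: str, iterations: int = WPA_ITERATIONS) -> bytes:
    """WPA/WPA2-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 32 bytes)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), iterations, dklen=32
    )


def ssid_acts_as_salt(passphrase: str, ssid_a: str, ssid_b: str) -> bool:
    """True when two different SSIDs give different PMKs for the same passphrase.
    A table of PMKs precomputed for one SSID is therefore useless against another."""
    return derive_pmk(passphrase, ssid_a) != derive_pmk(passphrase, ssid_b)


def measure_rate(ssid: str = "IEEE", samples: int = 50) -> float:
    """Candidate passphrases this interpreter can test per second (one core, no GPU).
    The candidates are constructed strings; only the derivation cost matters here."""
    start = time.perf_counter()
    for i in range(samples):
        derive_pmk(f"candidate{i:08d}", ssid)
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    assert derive_pmk("password", "IEEE") == IEEE_VECTOR_PMK
    print("SSID acts as salt:", ssid_acts_as_salt("secretpassword", "linksys", "NETGEAR"))
    print(f"{measure_rate():.0f} PBKDF2 derivations per second on this CPU")
```

The rate printed by `measure_rate` is the number a defender should compare against the size of a wordlist or character-set search space: each candidate costs 4,096 HMAC-SHA1 operations, so a dictionary of a few hundred million entries is feasible for a cloud or GPU service but a random 8-character alphanumeric string is not.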

That's not to say wireless password cracks can't be accomplished with ease, as I learned firsthand.

I started this project by setting up two networks with hopelessly insecure passphrases. The first step was capturing what is known as the four-way handshake, which is the cryptographic process a computer uses to validate itself to a wireless access point and vice versa. This handshake takes place behind a cryptographic veil that can't be pierced. But there's nothing stopping a hacker from capturing the packets that are transmitted during the process and then seeing if a given password will complete the transaction. With less than two hours' practice, I was able to do just that and crack the dummy passwords "secretpassword" and "tobeornottobe" I had chosen to protect my test networks.

Brother, can you spare a deauth frame?

To capture a valid handshake, a targeted network must be monitored while an authorized device is validating itself to the access point. This requirement may sound like a steep hurdle, since people often stay connected to some wireless networks around the clock. It's easy to get around, however, by transmitting what's known as a deauth frame, a series of deauthentication packets of the kind an AP sends to client devices before it reboots or shuts down. Devices that receive a deauth frame will promptly rejoin the affected network, performing a fresh handshake in the process.

Using the Silica wireless hacking tool sold by penetration-testing software provider Immunity for $2,500 a year, I had no trouble capturing a handshake established between a Netgear WGR617 wireless router and my MacBook Pro. Indeed, using freely available programs like Aircrack-ng to send deauth frames and capture the handshake isn't difficult. The nice thing about Silica is that it allowed me to pull off the hack with a single click of my mouse. In less than 90 seconds I had possession of the handshakes for the two networks in a "pcap" (that's short for packet capture) file. My Mac never showed any sign it had lost connectivity with the access points.
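The burst of deauthentication frames that forces the reconnect is also the part of this technique a defender can see. The following detector is an added example, not code from the article or from the Silica or Aircrack-ng projects: it decodes the 24-byte 802.11 MAC header (frame control, duration, three addresses, sequence control) plus the two-byte reason code that deauthentication and disassociation frames carry, counts such frames per sender address in a sliding time window, and raises one alert per sender that exceeds a threshold. A single deauth is normal (a client leaving); a burst, especially to the broadcast address, is the telltale. The sample capture, MAC addresses, window and threshold are constructed for illustration.

```python
import struct
from collections import defaultdict, deque

# (type, subtype) pairs from the 802.11 frame-control field: management frames
# with subtype 12 (deauthentication) and subtype 10 (disassociation).
DEAUTH, DISASSOC = (0, 12), (0, 10)


def _mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def _mac_bytes(text: str) -> bytes:
    return bytes(int(octet, 16) for octet in text.split(":"))


def parse_header(frame: bytes) -> dict:
    """Decode the generic 802.11 MAC header and, for deauth/disassoc frames, the
    reason code. Frame-control byte 0: bits 2-3 are the type, bits 4-7 the subtype."""
    if len(frame) < 24:
        raise ValueError("truncated 802.11 header")
    fc0 = frame[0]
    kind = ((fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF)
    reason = None
    if kind in (DEAUTH, DISASSOC) and len(frame) >= 26:
        reason = struct.unpack_from("<H", frame, 24)[0]
    return {
        "kind": kind,
        "dst": _mac_str(frame[4:10]),
        "src": _mac_str(frame[10:16]),
        "bssid": _mac_str(frame[16:22]),
        "reason": reason,
    }


def detect_deauth_flood(capture, window: float = 2.0, threshold: int = 5) -> list:
    """capture: iterable of (timestamp_seconds, raw_frame). Returns one alert per
    sender that emitted >= threshold deauth/disassoc frames within `window` seconds,
    as (src, window_start, count)."""
    recent = defaultdict(deque)   # sender address -> timestamps still inside the window
    alerted, alerts = set(), []
    for ts, raw in sorted(capture, key=lambda p: p[0]):
        hdr = parse_header(raw)
        if hdr["kind"] not in (DEAUTH, DISASSOC):
            continue
        q = recent[hdr["src"]]
        q.append(ts)
        while ts - q[0] > window:  # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold and hdr["src"] not in alerted:
            alerted.add(hdr["src"])
            alerts.append((hdr["src"], q[0], len(q)))
    return alerts


# --- constructed sample capture (not real traffic) -------------------------------
def _frame(fc0: int, dst: str, src: str, bssid: str, body: bytes = b"") -> bytes:
    header = (bytes([fc0, 0x00]) + b"\x00\x00" + _mac_bytes(dst) + _mac_bytes(src)
              + _mac_bytes(bssid) + b"\x00\x00")
    return header + body


AP, CLIENT, BCAST = "00:11:22:33:44:55", "66:77:88:99:aa:bb", "ff:ff:ff:ff:ff:ff"
SAMPLE_CAPTURE = [
    (0.00, _frame(0x08, CLIENT, AP, AP, b"\x00" * 8)),          # ordinary data frame, ignored
    (1.00, _frame(0xC0, CLIENT, AP, AP, struct.pack("<H", 3))),  # one deauth, reason 3 (STA leaving)
] + [
    # eight broadcast deauths in 0.4 s carrying the AP's address as sender: the burst pattern
    (5.00 + i * 0.05, _frame(0xC0, BCAST, AP, AP, struct.pack("<H", 7))) for i in range(8)
]

if __name__ == "__main__":
    for src, start, count in detect_deauth_flood(SAMPLE_CAPTURE):
        print(f"ALERT: deauth burst from {src}, {count} frames starting at t={start:.2f}s")
```

On a real sensor the frames would come from a monitor-mode interface or a pcap file; the sequence-control field and the receive rate are further signals, since a forged deauth rarely continues the AP's own sequence-number stream.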

Screenshot: Immunity Inc.'s Silica wireless penetration-testing tool in action as it sends a deauth frame and then captures the resulting four-way handshake.

Dan Goodin

I then uploaded the pcap files to CloudCracker, a software-as-a-service website that charges $17 to check a WiFi password against about 604 million possible words. Within seconds both "secretpassword" and "tobeornottobe" were cracked. A special WPA mode built into the freely available oclHashcat Plus password cracker retrieved the passcodes with similar ease.

It was the neighborly thing to do

Cracking such passcodes I had set up in advance to be guessed was great for demonstration purposes, but it didn't provide much satisfaction. What I really wanted to know was how much luck I'd have cracking a password that was actually being used to secure one of the networks in the vicinity of my office.

So I got the permission of one of my office neighbors to crack his WiFi password. To his chagrin, it took CloudCracker just 89 minutes to crack the 10-character, all-numerical password he used, although because the passcode wasn't contained in the entry-level, 604 million-word list, I relied on a premium, 1.2 billion-word dictionary that costs $34 to use.

My fourth hack target presented itself when another one of my neighbors was selling the above-mentioned Netgear router during a recent sidewalk sale. When I plugged it in, I discovered that he had left the eight-character WiFi password intact in the firmware. Remarkably, neither CloudCracker nor 12 hours of heavy-duty crunching by Hashcat were able to crack the passphrase. The secret: a lower-case letter, followed by two numbers, followed by five more lower-case letters. There was no discernible pattern to this password. It didn't spell any word either forwards or backwards. I asked the neighbor where he came up with the password. He said it was chosen years ago using an automatic generation feature offered by EarthLink, his ISP at the time. The e-mail address is long gone, the neighbor told me, but the password lives on.

No doubt, this neighbor should have changed his password long ago, but there is a lot to admire about his security hygiene nonetheless. By resisting the temptation to use a human-readable word, he evaded a fair amount of cutting-edge resources devoted to discovering his passcode. Since the code isn't likely to be included in any password cracking word lists, the only way to crack it would be to attempt every eight-character combination of letters and numbers. Such brute-force attacks are possible, but in the best of worlds they require at least six days to exhaust all the possibilities when using Amazon's EC2 cloud computing service. WPA's use of a highly iterated implementation of the PBKDF2 function makes such cracks even harder.

Besides changing the password every six months or so and not using a 10-digit phone number, my neighbors could have taken another important step to improve their WiFi security. WPA allows for passwords with 63 characters in them, making it possible to append four or five randomly selected words—"applesmithtrashcancarradar" for instance—that are easy enough to repeat to guests who want to use your wireless network but are prohibitively hard to crack.

Yes, the gains made by crackers over the past decade mean that passwords are under assault like never before. It's also true that it's trivial for hackers in your vicinity to capture the packets of the wireless access point that routes some of your most closely held secrets. But that doesn't mean you have to be a sitting duck. When done right, it's not hard to pick a passcode that will take weeks, months, or years to crack.

With odds like that, crackers are likely to move on to easier targets, say one that relies on the quickly guessed "secretpassword" or a well-known Shakespearean quote for its security.

Promoted Comments

This is all well and good, but one thing to keep in mind: if you have WiFi Protected Setup (WPS) enabled on your router (and you likely do if you bought a router in the past 4-5 years), it makes no difference how long or complex your WPA/WPA2 passkey is. If it is enabled, WPS can be easily cracked within 24 (or less in many cases) hours by breaking down the 8-character PIN into 2 halves, and cracking those halves. The 8th digit is actually a checksum of the first 7, so really you only have to guess the first 7. This amounts to 11,000 (!) possible combinations. Once cracked, your program of choice can request the full, unencrypted, plaintext WPA/WPA2 passkey, without ever having to touch it.

Oh, and this can all be done with free, open-source, readily available software, and requires very little hardware power.

Edit: Also, looking at the screen cap of the list of APs - many of them show WPS(ON). This makes an even stronger case for WPS cracking, as it takes less time, and you don't have to buy expensive software or spend lots of money on renting out EC2 servers to crack the WPA passkey.

I use multi-syllable words, but between each syllable I'll add a symbol. Then I'll follow up with some numbers. Probably not the most secure, but at least I can remember it.

Worst part is I've lived at a house where my landlord had an old lappy that was built during the integrated wifi WEP days. I downgraded the router to use WEP security, but the longest 26 char password. We live right on the corner of 2 main streets w/ a bus stop outside the wall of our backyard no less. I figured someone at the bus stop could have hacked into our router long ago. I'm moving soon. Gonna be glad to be away from WEP encryption.

While I understand the situation you were in, using a 26 character password did nothing to help you. WEP's issue is the initialization vector (IV) for each encrypted frame is only 16 bits (IIRC) long. That means that after 2^16 uniquely encrypted frames you will have a frame that re-uses the IV. That in turn makes it very easy to get two frames (or more, usually many more) that used the same IV. From there it's a fairly trivial set of cryptanalysis techniques to identify the "master" key used to generate the encryption given the IV those frames used.

Quote:

To avoid looking like a COMPLETE noob, I did setup the router to only allow the specific MAC addresses for the devices we used.

MAC filtering is pointless. It's too easy to identify the MAC address of "allowed" devices and spoof the AP/Router by using one of those as "your" MAC.

As for the free versus pay for software. It's an irrelevance like security through obscurity, yes free software is likely to be good at this, yes an attacker is likely to not care about ease of use if they do this on a larger scale.

P.S. Regardless of the number of sentences, words or characters devoted to free software that can do this I found it abundantly clear that there were free alternatives and they could perform the same or similar functions.

MAC address filtering does not add security to a wireless network. It's useful to create an access control list if you are using a shared password among many people (say, at a business) and you don't want them to connect their IPad, IPhone, laptop, etc. all to the company network. Against an actual hack attempt though, it adds no security.

That's not necessarily true. On my wireless router I can configure the MAC filter as a whitelist or a blacklist. I have it configured as a whitelist, so unless I've logged into the router and put your MAC in, you can't get a connection to the wireless. At all.

I suspect this configuration is giving you a false sense of security, since it's trivial for me to read the MAC address of a machine that's already connected to your network and then spoof it and connect using my own computer.

Can anyone tell me why this wouldn't be possible?

You are right about the false sense of security. The MAC address is in the captured packets. Spoofing a MAC address is as easy as capturing the packets. All you need is an application and a card with promiscuous mode.

You may want to check the free application Wireshark for capturing packets.

I have no doubt that someone with enough time and ambition could crack my home network. Believing otherwise is just foolish. But by not broadcasting the SSID, adding MAC filtering, disabling remote administration of the router, using WPA-2, using a unique character string for the network name, and strong passwords for both the network and the router, I'd like to think that it will deter 99% of people.

Your recommendations are without value:

- not broadcasting the SSID = no difference, any war-driving stumbler application will display all SSIDs
- MAC filtering = no difference, to sniff packets you need a promiscuous network card, which is also the requirement for spoofing a MAC
- disabling remote administration = no difference, because the hacker is in the internal network, he/she is accessing the administration from the internal network
- WPA-2 = only a difference vs. WEP, WPA-2 with less than 8 characters from an extended character set is crackable in a VERY short time
- using a unique character string for the network name: used to make a difference because it prevented the use of rainbow tables, no longer useful because brute-forcing has taken a gigantic leap with GPU-assisted password cracking
- strong passwords for both the network and the router: duh !!!

Please note that implementing a long response time or lock-down after too many attempts has 2 weaknesses:
- opens the door to a DOS attack
- cracking can be made offline against a dictionary or by brute force

Even then, most consumer-level routers allow MAC address filtering, or doling out a specific number of DHCP addresses to further limit the devices that can attach to the network. Sure, they're not usually set by default, but it's simple to set up.

Sadly, it's even simpler to take the lazy way out and not mention that these ARE valid methods of enabling additional security on Aunt Helen's router.

There are tools that can spoof MAC addresses, so enabling MAC address filtering on Aunt Helen's router will not make it 100% secure. If someone wants access to it, they will get it.


I am kind of surprised there has been no mention in this article of Reaver. The software is free, that kit is new, though.

Of course, there are a total of 5 WiFi networks within range of me, and I don't know or care to break into them. Did it once with Reaver, and since no one was home, I had nothing to really gain. Just an exercise to say I did it.

Of course, the WPS vulnerability is easily (kinda) circumvented by running firmware that doesn't even support it; OpenWRT, Tomato, DD-WRT, etc.

I have no doubt that someone with enough time and ambition could crack my home network. Believing otherwise is just foolish. But by not broadcasting the SSID, adding MAC filtering, disabling remote administration of the router, using WPA-2, using a unique character string for the network name, and strong passwords for both the network and the router, I'd like to think that it will deter 99% of people.

Your recommendations are without value:

- not broadcasting the SSID = no difference, any war-driving stumbler application will display all SSIDs
- MAC filtering = no difference, to sniff packets you need a promiscuous network card, which is also the requirement for spoofing a MAC
- disabling remote administration = no difference, because the hacker is in the internal network, he/she is accessing the administration from the internal network
- WPA-2 = only a difference vs. WEP, WPA-2 with less than 8 characters from an extended character set is crackable in a VERY short time
- using a unique character string for the network name: used to make a difference because it prevented the use of rainbow tables, no longer useful because brute-forcing has taken a gigantic leap with GPU-assisted password cracking
- strong passwords for both the network and the router: duh !!!

Please note that implementing a long response time or lock-down after too many attempts has 2 weaknesses:
- opens the door to a DOS attack
- cracking can be made offline against a dictionary or by brute force

For instance, take an easy to remember password like "cat-toupee92". That right there is nine letters and two symbols/numbers. That's an 11 digit password right there. Sure, "cat" and "toupee" are probably in the dictionary based cracking algorithm, but then you pad it with your own pattern. So like, take "+" ten times before the "cat-toupee92", then like ")" ten times afterward. So the entire, easy to remember password is "++++++++++cat-toupee92))))))))))". That's a 31 digit password. Now, cracking software has no idea how many letters are usually allowed in a password. It's not like Wargames where they BAM, have one digit, then BAM they have two digits. It's either a pass/fail endeavor. It doesn't know what symbol or letter you used to pad the password. It doesn't know how many times. It doesn't know the pattern. As you could easily have done "+++++)))))cat-toupee92)))))+++++" as well, breaking up the pattern.

There are no sentences in there. It's basically gibberish. 31 digits of gibberish. I doubt you'd be able to crack it even giving the crackers the phrase "cat toupee".

OK I would like justification as to why this has always been a hallmark of standard security practices. Let's say someone is using either a dictionary or brute force method to hack a password. If they do not accomplish this within 3 months (the usual time period most request a password change) the likelihood of it being hacked is going to be negligible. Now you change it every 3 months. The chance of guessing that password now goes up if you are constantly changing it every 3 months. The only justification I've ever seen is that it repairs a compromised network\account that was not known to be compromised previously. But in that case the damage may have already been done.

My main password I use on my password safe is so insanely long. Because I don't change it. I ADD to it. So 4 months later I just add a character to the password making it more and more complex as time goes on.


Even then, most consumer-level routers allow MAC address filtering, or doling out a specific number of DHCP addresses to further limit the devices that can attach to the network. Sure, they're not usually set by default, but it's simple to set up.

Sadly, it's even simpler to take the lazy way out and not mention that these ARE valid methods of enabling additional security on Aunt Helen's router.

There are tools that can spoof MAC addresses, so enabling MAC address filtering on Aunt Helen's router will not make it 100% secure. If someone wants access to it, they will get it.

That's not necessarily true. On my wireless router I can configure the MAC filter as a whitelist or a blacklist. I have it configured as a whitelist, so unless I've logged into the router and put your MAC in, you can't get a connection to the wireless. At all.

Well the issue with that is, the MAC addresses of any whitelisted MACs are going to be pretty freely available whenever one of those devices transmits. Then all your hacker has to do is spoof that MAC which is actually pretty easy to do these days. Unlike Ethernet nodes connected to a switch, multiple wireless devices with the same MAC won't automatically kill each other. In fact, I'm not too sure if all switches handle duplicate MACs properly either.

My main password I use on my password safe is so insanely long. Because I don't change it. I ADD to it. So 4 months later I just add a character to the password making it more and more complex as time goes on.


So how do you remember it?

Easy!! Written down on a blue, off-brand post-it stuck to the bottom of his keyboard.

Oh good, the entropy fetishists line up to rail against the evils of people not being random string generators, rather than admitting that requiring high entropy from human beings is a stupid idea.

Me, I consider wifi access to be basic hospitality. If I have to hunt down some long-ass password every time my friend wants to check their email, it's a Problem.

Wifi access is a basic condition of doing business. You have a meeting with clients, and they need wifi access. Sure, you COULD waste 20 minutes typing some long string of characters into every person's tablet and laptop, but it wastes time and it seriously puts people off. That is also a Problem. On top of all their other problems, long or high-entropy passwords and soft keyboards don't mix.

Wifi access is also a basic condition of several sorts of retail, for instance running a coffee shop. If they want to provide wifi to their customers but prevent their neighbors from freeloading (as almost all do), they need a password that [1] they can give out over the checkout line, [2] can change periodically, and [3] is not a massive pain to type in.

Guest networks are the solution to this part of the problem. Many current routers offer them as an option. Ideally you should be granting a different level of access to visitors than local users of the network anyway.

There are still problems with expecting people to come up with their own entropy, I agree, but I don't think this is one of them.

Guest networks have their own issues. You are trusting the router to ensure that it is actually segmenting the traffic. Some routers don't do this well, or they have options to allow the guest network to see things on the private network.

I'm not saying don't use it, just make sure it's done right by testing the guest network.

I heard that repeating numbers (letters) like 0881 for an iPhone could keep most people out. I also wonder if the Apple TimeCapsule Wifi set up is vulnerable as I can sign on without using the WEP equivalent and using far less numbers and letters?

I'd like some more examples than the one given as to how to make a difficult password. When I am forced to use the maximum PC equivalent password I often make mistakes if I have to use a screen keyboard and a remote. It's tiresome.

There must be a better solution.

This was done by the Hak5 crew a few years ago. At the time I was using two words and a number to lock my wifi. After watching them crack a wpa secured network in a few hours--and a wep network in minutes--I started modifying how I secure my wireless. I use leetspeak sentences now. A short sentence like, "lockyouout!" is easy to remember. Then I modify. Always the first letter of a word is capitalized. Then random letters are changed to numbers; an example change would be L0ckY0u0u71. Some tablets don't like punctuation, so I stick with letters and numbers.


This was done by the Hak5 crew a few years ago. At the time I was using two words and a number to lock my wifi. After watching them crack a wpa secured network in a few hours--and a wep network in minutes--I started modifying how I secure my wireless. I use leetspeak sentences now. A short sentence like, "lockyouout!" is easy to remember. Then I modify. Always the first letter of a word is capitalized. Then random letters are changed to numbers; an example change would be L0ckY0u40u71. Some tablets don't like punctuation, so I stick with letters and numbers.

Why not just use a longer sentence? Pennyalreadyeatsourfoodshecanpayforwifi, for example...

Besides changing the password every six months or so and not using a 10-digit phone number, my neighbors could have taken another important step to improve their WiFi security. WPA allows for passwords with 63 characters in them, making it possible to append four or five randomly selected words—"applesmithtrashcancarradar" for instance—that are easy enough to repeat to guests who want to use your wireless network but are prohibitively hard to crack.

Yes it does. Now imagine having to manually type that into a device that has limited input while getting it right? People pick easy passwords not just for memory's sake.

Besides changing the password every six months or so and not using a 10-digit phone number, my neighbors could have taken another important step to improve their WiFi security. WPA allows for passwords with 63 characters in them, making it possible to append four or five randomly selected words—"applesmithtrashcancarradar" for instance—that are easy enough to repeat to guests who want to use your wireless network but are prohibitively hard to crack.

Yes it does. Now imagine having to manually type that into a device that has limited input while getting it right? People pick easy passwords not just for memory's sake.

You're being as absurd as the person to whom you're replying. There is a happy middle ground that involves picking a reasonably secure password or pass phrase that doesn't involve 63 random characters of varying capitalization combined with numbers and odd characters.

Seems like this could be mitigated somewhat if routers were programmed to stop accepting login attempts for a period of time after a number of failed tries.

For those who are unaware, you can change your network card's MAC address, also called spoofing. If you try and lock people out after a few tries, they will just change the MAC address to look like a new client and try again. Now you can either let them or use some sort of algorithm to detect rapidly changing MACs and lock newcomers out, but this could also affect you. Especially if that asshole is spitting out deauth packets that kick you off the network.

Quote:

It's about numbers. Far more students trying to freeload internet off of community neighbourhoods versus the occasional industrial espionage case. It's hard to argue that there are more espionage agents than students.

This isn't about getting access to wifi. This is about seeing encrypted traffic on the WLAN unencrypted. Someone with this hack not only gets free wifi, but can sniff everyone else's traffic. Doesn't matter if you have one WPA password per user or one tunnel per user or whatever, the data is now unencrypted for the attacker to see.

In other words, while more people may be attempting to gain free wifi access, the attack itself isn't about those people.

Besides changing the password every six months or so and not using a 10-digit phone number, my neighbors could have taken another important step to improve their WiFi security. WPA allows for passwords with 63 characters in them, making it possible to append four or five randomly selected words—"applesmithtrashcancarradar" for instance—that are easy enough to repeat to guests who want to use your wireless network but are prohibitively hard to crack.

Yes it does. Now imagine having to manually type that into a device that has limited input while getting it right? People pick easy passwords not just for memory's sake.

Nobody has brought it up yet, and it really doesn't apply to *most* home situations, but what about WPA2-Enterprise? Forgo passwords altogether and use PEAP with X.509 certificates. Not only is it easy for clients to connect (just install their certificate), a 1024-bit key has to be harder to crack. Add to that access point and authentication server certificates to authenticate the network to the client (preventing someone from creating a same-SSID network and capturing credentials, or disabling security so clients just connect and try to send sensitive information) and it's the best security/convenience tradeoff I can think of.

You can always tell you're talking about computer technology when your post is full of red squiggly lines, and nothing is misspelled.

An interesting distinction is between best practices for personal use and best practices which are good to recommend to normal people.

I have found that too aggressive of password security actually leads to less security. For example, requiring frequent password rotations leads users to choose easy to remember passwords (dictionary words and variants). Or complexity requirements lead to inevitable sticky notes on monitors and under keyboards.

Really, I'm more concerned about social exploits and malicious employees than I am about getting hacked by brute force.

Not that password selection is an unworthy subject. Thanks for the article! But also, there are many other things which people should concentrate on first. Number one being backups. I could harass my parents to pick better passwords but that time would be better spent making sure that their machines are getting backed up regularly.

This is all well and good, but one thing to keep in mind: if you have WiFi Protected Setup (WPS) enabled on your router (and you likely do if you bought a router in the past 4-5 years), it makes no difference how long or complex your WPA/WPA2 passkey is. If it is enabled, WPS can be easily cracked within 24 (or less in many cases) hours by breaking down the 8-character PIN into 2 halves, and cracking those halves. The 8th digit is actually a checksum of the first 7, so really you only have to guess the first 7. This amounts to 11,000 (!) possible combinations. Once cracked, your program of choice can request the full, unencrypted, plaintext WPA/WPA2 passkey, without ever having to touch it.

Oh, and this can all be done with free, open-source, readily available software, and requires very little hardware power.

Edit: Also, looking at the screen cap of the list of APs - many of them show WPS(ON). This makes an even stronger case for WPS cracking, as it takes less time, and you don't have to buy expensive software or spend lots of money on renting out EC2 servers to crack the WPA passkey.

Isn't WPS only on for a few minutes after physically pressing a button on the AP itself? Or is that just a friendly implementation detail that not all brands? I probably should check how my device behaves - I believed if someone gets into my house in order to temporarily enable WPS, they may as well just use the ethernet jack right next to the button ..

No, it was found that WPS is (pretty much) always on. Generally there is a setting in the router to disable WPS, but even that did not work on Linksys routers.

WPS is broken. It was not written by security people obviously. A couple companies did WPS right but most did not.

Besides changing the password every six months or so and not using a 10-digit phone number, my neighbors could have taken another important step to improve their WiFi security. WPA allows for passwords with 63 characters in them, making it possible to append four or five randomly selected words—"applesmithtrashcancarradar" for instance—that are easy enough to repeat to guests who want to use your wireless network but are prohibitively hard to crack.

Yes it does. Now imagine having to manually type that into a device that has limited input, and getting it right. People pick easy passwords not just for memory's sake.

Copy/paste is a common feature even with Windows Phone 7, no?

Rokus don't have C&P, and some tablets are handicapped in that regard.

WPS is broken. It was not written by security people obviously. A couple companies did WPS right but most did not.

What about alternative firmware?

comlink wrote:

Nobody has brought it up yet, and it really doesn't apply to *most* home situations, but what about WPA2-Enterprise? Forgo passwords altogether and use PEAP with X.509 certificates. Not only is it easy for clients to connect (just install their certificate), a 1024-bit key has to be harder to crack. Add to that access point and authentication server certificates to authenticate the network to the client (preventing someone from creating a same-SSID network and capturing credentials, or disabling security so clients just connect and try to send sensitive information) and it's the best security/convenience tradeoff I can think of.

You can always tell you're talking about computer technology when your post is full of red squiggly lines, and nothing is misspelled.

Wonderful. Anyone know how to make a RADIUS server that is easy to set up and use?

- Not broadcasting the SSID = no difference; any war-driving stumbler application will display all SSIDs.
- MAC filtering = no difference; to sniff packets, you need a promiscuous network card, which is also the requirement for spoofing a MAC.
- Disabling remote administration = no difference, because the hacker is in the internal network; he/she is accessing the administration from the internal network.
- WPA-2 = only a difference vs. WEP; WPA-2 with fewer than 8 characters from an extended character set is crackable in a VERY short time.
- Using a unique character string for the network name: used to make a difference because it prevented the use of rainbow tables; no longer useful because brute-forcing has taken a gigantic leap with GPU-assisted password cracking.
- Strong passwords for both the network and the router: duh!!!

Please note that implementing a long response time or a lock-down after too many attempts has 2 weaknesses:
- it opens the door to a DOS attack
- cracking can be done offline against a dictionary or by brute force

Disabling remote administration might not have been what he meant exactly. On Linksys routers you can do two different things, you can disable remote management (which to your point does nothing if they're on your network), but you can also disable wireless access to router administration, which does add security, because it requires a wired connection to make changes.

But if it's universal, the hash is irrelevant from a security standpoint because any hacker knows they just have to hash their password table according to the standard hash before going through the other steps.

That was my first thought, but I don't know enough about the subject to know if that was a valid short-coming of the idea.

It still amazes me that Blizzard will sell me a cheap [$6 USD] "authenticator" to allow 2-factor log-in on my World of Warcraft/Diablo 3/StarCraft 2/BattleNet accounts - and a free version of the authenticator for iOS & Android - but none of my financial services providers have ever asked me if I wanted that little bit of added security on my bank account, stock portfolio or 401K account.

Besides changing the password every six months or so and not using a 10-digit phone number, my neighbors could have taken another important step to improve their WiFi security. WPA allows for passwords with 63 characters in them, making it possible to append four or five randomly selected words—"applesmithtrashcancarradar" for instance—that are easy enough to repeat to guests who want to use your wireless network but are prohibitively hard to crack.

Yes it does. Now imagine having to manually type that into a device that has limited input, and getting it right. People pick easy passwords not just for memory's sake.

You're being as absurd as the person to whom you're replying. There is a happy middle ground that involves picking a reasonably secure password or pass phrase that doesn't involve 63 random characters of varying capitalization combined with numbers and odd characters.

I don't know about you, but it's a heck of a lot easier for me to type lowercase text on my iPhone than to have to Shift to enter numbers and caps (and Shift+Symbol to enter symbols).

MAC filtering is just... I can't... DON'T EVEN BOTHER. You do not actually impede an intruder, and you just make it harder to add legitimate devices to your own wireless network. Double fail. It's like putting up a baby-gate at your front door in case an intruder breaks through the steel door with double locks. Just use a large-enough and random-enough WPA2 password, disable WPS entirely, and call it done.

Wonderful. Anyone know how to make a RADIUS server that is easy to set up and use?

Well I can only speak from personal experience, but using an old, re-purposed Windows 2000 server, it took me about 5 hours to complete setup of a PKI including a root certificate, and create an authentication server, which is actually built-in to Windows Server. I currently have 50 or so users hanging off of this system using individual login/password combos.

...Now learning all about it and figuring out what I needed to implement it? Two weeks?

FreeRADIUS is a good alternative for home users, who can use Windows Home Server (or any other OS, really) to operate it. Combined with OpenSSL, we're gold. I'm not saying the initial setup is as easy as a pre-shared key (it most definitely is not), but after the initial config, adding, removing and configuring users is easy cheesy.

EDIT: I just remembered that FreeRADIUS does not run on Windows! You would have to use Linux instead. Sorry. I was thinking of TekRADIUS I believe.

My takeaway from the article and all the depressing expert comments is that for a determined cracker there is nothing you can do to prevent the cracking. Ironically, I think I'm actually going to use a free cracking tool for my own router. I forgot the admin password, I guess I made it tooo complicated, lol. I could reset the router but don't want to because I'll have to re-input all the settings, yuk.

The reality is that sheer numbers, not better passwords or configurations, protect most people.

My car or my house could easily get stolen/invaded because it's very easy to break through glass. Hammers are cheap. Rocks are free. So why hasn't it happened to me? Because the number of available cars and houses to break into is so high that a single target has a very low chance of getting hit. If a million homes are invaded each year, that's still less than one percent of the total. So I have over a 99% chance of not getting victimized each year.

Will I get hit eventually? Possibly. But I can't live my life in fear of that day. Nor can I be a computer user in fear of getting hacked. There are billions of computers and accounts around the world. Criminals can't hit all of them.

Bottom-line, there's no way to completely protect yourself. If they want in, they'll get in. But there is safety in numbers. So make a moderate attempt to secure your accounts, realize nothing is hack-proof, and move on with your life.

- - - - -
EDIT (ADD): I know this is not the point of the article, but I'm sure I've read before that hacking/cracking is not the most common way for people to gain unauthorized access. More likely methods are "handed out" passwords, unlocked screens, written down codes, malware, etc. I want to say that hacking/cracking is pretty far down the list.

My takeaway from the article and all the depressing expert comments is that for a determined cracker there is nothing you can do to prevent the cracking. Ironically, I think I'm actually going to use a free cracking tool for my own router. I forgot the admin password, I guess I made it tooo complicated, lol. I could reset the router but don't want to because I'll have to re-input all the settings, yuk.

That's not true at all - and the article even made note of it. His lowly 8 character password was not cracked because it was not in the dictionary.

WPA2 was very well thought out (unlike WEP) and is basically unbreakable with a sufficient strength password. Just go to https://www.grc.com/passwords.htm and get some random ASCII.

Yes it is a PITA to input, but you only have to do it once, and most WiFi devices have copy/paste.
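An added example (not from the article or any commenter) that puts numbers on the password styles argued over above, from the article's "applesmithtrashcancarradar" word-passphrase suggestion to the "random ASCII" advice in this comment: it checks the WPA2-PSK length rule, compares keyspace sizes, and generates a word-based passphrase. The guessing rate and the small word list are constructed assumptions for illustration.

```python
"""Estimate offline-attack cost for the WPA2 passphrase styles discussed in the
thread, and generate a word-based passphrase. Added example, not the article's code."""
import math
import secrets

# The article states WPA/WPA2 passphrases are 8-63 characters and that the PMK is
# derived with PBKDF2 (4096 SHA1 rounds), which is why guessing is slow per attempt.
MIN_LEN, MAX_LEN = 8, 63
GUESSES_PER_SECOND = 30_000  # assumed rate for one GPU of the era; not a measured figure

# Constructed stand-in word list; a real diceware-style list has 7776 words.
WORDLIST = ["apple", "smith", "trash", "can", "car", "radar", "lamp", "river",
            "stone", "wheel", "paper", "cloud", "grass", "honey", "metal", "olive"]


def is_valid_wpa_psk(passphrase: str) -> bool:
    """WPA2-PSK passphrases are 8-63 printable ASCII characters (codes 32-126)."""
    return (MIN_LEN <= len(passphrase) <= MAX_LEN
            and all(32 <= ord(c) <= 126 for c in passphrase))


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy for `length` symbols chosen uniformly from `alphabet_size`."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try the whole keyspace at `rate` guesses per second."""
    return 2 ** bits / rate / (365 * 24 * 3600)


def compare_styles() -> dict:
    """Keyspace sizes, in bits, for the password styles discussed in the thread."""
    return {
        "10-digit phone number": entropy_bits(10, 10),
        "8 lowercase letters": entropy_bits(26, 8),
        "5 diceware words (7776-word list)": entropy_bits(7776, 5),
        "63 random printable ASCII": entropy_bits(95, 63),
    }


def generate_passphrase(n_words: int, wordlist=WORDLIST) -> str:
    """Concatenate n_words words picked with a CSPRNG (secrets, never random)."""
    return "".join(secrets.choice(wordlist) for _ in range(n_words))


if __name__ == "__main__":
    for style, bits in compare_styles().items():
        print(f"{style:36s} {bits:6.1f} bits  ~{years_to_exhaust(bits):.2e} years")
    print("example passphrase:", generate_passphrase(5))
```

The phone-number row is the one the article cracked in minutes; the word-passphrase row shows why a few random words beat a short "complex" string even at PBKDF2's per-guess cost.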

My main password I use on my password safe is so insanely long. Because I don't change it. I ADD to it. So 4 months later I just add a character to the password making it more and more complex as time goes on.

So how do you remember it?

Sticky note under the keyboard, duh.

Why? Because under the keyboard? Just have a list of all your passwords written out on paper right next to the monitor. We're trying to protect against cyber crime here, and the average individual probably doesn't have to worry about Watergate-type burglary shenanigans. (NB: does not work for laptops.)